This is the mail archive of the mailing list for the GCC project.


Re: Signed int overflow behaviour in the security context

Robert Dewar wrote:
>> Making a call here before knowing this is not sensible.  In fact,
>> I'm tempted to argue that it is generally a bad idea to do
>> optimizations that lead to the same expression being evaluated to
>> different results without making the user explicitly request them.
> People always say this, but they don't really realize what they are
> saying. This would mean you could not put variables in registers, and
> would essentially totally disable optimization.

I don't see why that demand would prevent register allocation.  Maybe
you can explain that to me.

My point essentially is that it's not a good idea to have "x-y" mean
something different in different parts of the code.  That's just too
hard for the user to understand and deal with properly.

> The -O2 flag is exactly a request to do optimizations that may cause
> wrong programs to generate different results.

Then maybe it shouldn't be the default in autoconf.  But wasn't -O3 the
set of optimizations considered potentially unsafe?

> Note by the way that formally safety-critical or security-critical 
> software is very unlikely to be compiled at -O2 anyway.

Oh, the last formally security-critical application I've been working on
(FIPS 140-2 certification pending) *was* compiled with -O2, because the
resources on the embedded target device were scarce.

But I'm talking about the security of your average desktop system anyways.
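As an added C example (not part of the thread), here is the kind of "x-y" check the message is arguing about: an overflow test written on the result of a signed subtraction relies on undefined behaviour and may be folded away at -O2, shown beside two forms whose meaning is the same at every optimization level. `__builtin_sub_overflow` is a GCC/Clang builtin; everything else is standard C.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The style of check under discussion: it inspects the wrapped result of a
   signed subtraction.  Signed overflow is undefined in C, so the optimizer
   may assume it never happens and fold this comparison to "false",
   deleting the branch that depended on it.  Its result is therefore not
   something a program can rely on. */
bool sub_overflows_ub(int x, int y)
{
    int r = x - y;                 /* undefined when the result does not fit */
    return (y > 0 && r > x) || (y < 0 && r < x);
}

/* Defined-behaviour version: decide *before* subtracting, using only
   comparisons against INT_MIN / INT_MAX.  Neither INT_MIN + y (y > 0) nor
   INT_MAX + y (y < 0) can itself overflow, so every path is well defined
   and the compiler has no licence to remove it. */
bool sub_overflows_checked(int x, int y)
{
    if (y > 0)
        return x < INT_MIN + y;    /* x - y would fall below INT_MIN */
    if (y < 0)
        return x > INT_MAX + y;    /* x - y would rise above INT_MAX */
    return false;
}

/* Same decision delegated to the compiler builtin, which reports overflow
   without ever evaluating an undefined expression. */
bool sub_overflows_builtin(int x, int y)
{
    int r;
    return __builtin_sub_overflow(x, y, &r);
}

int main(void)
{
    /* constructed sample inputs covering both overflow directions */
    struct { int x, y; } cases[] = {
        { 0, 1 }, { INT_MIN, 1 }, { INT_MAX, -1 }, { -5, INT_MIN }, { 0, INT_MIN }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("x=%d y=%d  checked=%d builtin=%d\n", cases[i].x, cases[i].y,
               sub_overflows_checked(cases[i].x, cases[i].y),
               sub_overflows_builtin(cases[i].x, cases[i].y));
    return 0;
}
```

Compiling the first function at -O0 and -O2 and comparing the generated code shows the optimizer's freedom that the thread is debating; the other two give identical answers at any level.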

